Category Archives: Data Factory

Managed Identity auth against PowerBi Rest API’s

on https://learn.microsoft.com/en-us/rest/api/power-bi/ I couldn’t (easily) find if Managed Identities are supported when using the PowerBI rest API, especially the ‘asadmin’ parts.

The documentation also doesn’t really show (or I couldn’t find it), for what audience to request a token. Using a Logic App I eventually got it to work after a lot of trial and error 🙂

For those googling this, I encountered a bunch of these first before finding the right audience of ‘https://api.fabric.microsoft.com’

Http request failed as there is an error getting AD OAuth token: ‘AADSTS500011: The resource principal named https://api.fabric.microsoft.com/.default was not found in the tenant named XXXXX. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.

Http request failed as there is an error getting AD OAuth token: ‘AADSTS500011: The resource principal named https://api.powerbi.com was not found in the tenant named XXX

Http request failed as there is an error getting AD OAuth token: ‘AADSTS500011: The resource principal named https://analysis.windows.net/powerbi/api/.default was not found in the tenant named XXX

Http request failed as there is an error getting AD OAuth token: ‘AADSTS500011: The resource principal named https://analysis.windows.net was not found in the tenant named XXX

Sharepoint Online and Azure Datafactory using Managed Identity

Let’s face it, Microsoft’s documentation on using Sharepoint as a data source (or sink) in ADF is pretty bad. And it doesn’t even describe how to use the Managed Identity of ADF, who still wants to register separate app credentials? Noooooo you don’t.

So here’s an example how to use Managed Identity to read a json file from a given SpO site, using minimal permissions given to ADF.

  1. Enable MI in datafactory, I’m assuming you know how to do this.
  2. Give ADF Sites.Selected Graph permissions, e.g. like this:
Param(
    [Parameter(Mandatory=$true)][String]$displayName="{NAMEOFADFINSTANCE}",
    [Parameter(Mandatory=$true)][String]$role="Sites.Selected"
)
Connect-AzureAD 
$Msi = (Get-AzureADServicePrincipal -Filter "displayName eq '$displayName'")
Start-Sleep -Seconds 10
$baseSPN = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$AppRole = $baseSPN.AppRoles | Where-Object {$_.Value -eq $role -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $Msi.ObjectId -PrincipalId $Msi.ObjectId -ResourceId $baseSPN.ObjectId -Id $AppRole.Id
$Msi.AppId
  1. Go to https://yourtenant.sharepoint.com/sites/yoursite/_api/site/id and copy the Edm Guid:
get sharepoint site ID / guid
  1. Go to https://developer.microsoft.com/en-us/graph/graph-explorer. Log in at the top right using a user with sufficient permissions (Sites.FullControl.All), set the mode to POST, add the EDM guid in the URL and create the request body as follows (the id in the body can be found back in step 2, $Msi.AppId)
authorize managed identity on sharepoint site
  1. Create a REST linked service in ADF with Managed Identity auth:
create graph rest linked identity
  1. Create data source in ADF of type REST
  1. Replace the “uri” with the direct url of the file you want to read (or use an alternative method). Example uri:
    https://graph.microsoft.com/v1.0/sites/ee614b6d-de15-4101-1c12-14e4cd3186a9/drive/root:/General/Input_files/test.json:/content